Draft - Work In Progress

Basic configuration

Common changes that should be part of all IIS installations.

Disable directoryBrowsing

Directory browsing gives the user the ability to just navigate to http://server/directory/ and get a list of all files in the directory. This was useful when web servers were primarily file servers, but is clearly a security problem now.

2) Or, in Server Manager, navigate to IIS and uncheck Directory Browsing under Common HTTP Features.

Avoid wildcard host headers

IIS 10.0 added wildcard host headers. This means that if a website is hosted for a domain, the server will also handle requests for any subdomain of it, leaving it to the developer to decide, based on the request, how to respond.

In general, this is a bad idea and shouldn't be used. There are very specific reasons to use them, but it is almost guaranteed that your situation isn't one of them.

Certainly, do not use fully wildcard domains such as http://*. But in general avoid wildcard host headers at all, and use explicit site bindings to solve the same problem instead.

Ensure applicationPoolIdentity is configured for all application pools

Use a unique applicationPool per site

Application pools are designed to group a collection of sites that can be restarted together, share a common maximum memory limit, and share some other settings. With today's applications, it is best to have a unique application pool for each site. If there is a separate project for the services and the front end of one application, those two could perhaps share a pool, but for the majority of applications, use one pool per app.

There are two ways to configure application pools for IIS.

1) In IIS Manager, expand Sites in the Connections pane. Then click Advanced Settings, then the ellipsis button next to Application Pool. Select a unique pool there.
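The same three changes (disable directory browsing, flag wildcard host headers, one pool per site running as ApplicationPoolIdentity) can be applied and audited from PowerShell. This is an added example, not part of the original draft; it assumes the WebAdministration module on IIS 10 and an elevated session, and naming each pool after its site is this example's convention, not the page's.

```powershell
# Added example: apply and audit the basic IIS hardening settings described above.
# Assumes an elevated session with the WebAdministration module available.
Import-Module WebAdministration

# 1. Disable directory browsing at the server level so every site inherits it
#    (a site or web.config can still override it; the audit below catches that).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/directoryBrowse' `
    -Name 'enabled' -Value $false

foreach ($site in Get-Website) {
    # Audit: report any site that still has directory browsing enabled locally.
    $db = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
        -Filter 'system.webServer/directoryBrowse' -Name 'enabled'
    if ($db.Value) { Write-Warning "$($site.Name): directory browsing is still enabled" }

    # 2. Flag wildcard host headers. bindingInformation is "ip:port:host", so the
    #    host header is the last field; IIS 10 accepts values such as *.example.com.
    foreach ($b in Get-WebBinding -Name $site.Name) {
        $hostHeader = ($b.bindingInformation -split ':')[-1]
        if ($hostHeader.StartsWith('*')) {
            Write-Warning ("{0}: wildcard host header '{1}' on {2} binding; " +
                "replace it with explicit site bindings") -f $site.Name, $hostHeader, $b.protocol
        }
    }

    # 3. Give the site its own pool (named after the site, this example's convention)
    #    and make sure the pool runs as the built-in ApplicationPoolIdentity.
    $poolName = $site.Name
    if (-not (Test-Path "IIS:\AppPools\$poolName")) {
        New-WebAppPool -Name $poolName | Out-Null
    }
    Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType `
        -Value 'ApplicationPoolIdentity'
    if ($site.applicationPool -ne $poolName) {
        # Moves the site's root application; nested applications keep their own pool.
        Set-ItemProperty "IIS:\Sites\$($site.Name)" -Name applicationPool -Value $poolName
    }
}

# Final check: no two sites should share a pool after remediation.
Get-Website | Group-Object applicationPool | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("pool '{0}' is shared by: {1}" -f $_.Name, ($_.Group.Name -join ', '))
}
```

Run it once to remediate, then a second time to confirm nothing is reported.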